Researcher Uncovers Twitter, Google Calendar Security Vulnerabilities

A security researcher uncovered some holes in Google Calendar and Twitter that may allow an attacker to steal cookies and user session IDs.

A security researcher has uncovered vulnerabilities in Twitter and
Google Calendar that could put users at risk.
In a proof of concept, researcher Nir Goldshlager demonstrated
cross-site scripting (XSS) vulnerabilities in Google Calendar and Twitter that
he said could be used to steal cookies and session IDs. He also uncovered an
HTML injection issue affecting Google Calendar as well that he said could be
used to redirect a victim to an attack site any time the user viewed his or her
Google Calendar agenda events.

Goldshlager sent the code to eWEEK, which in turn contacted
Twitter and Google about the vulnerabilities. Twitter issued a fix for the
issue Dec. 30, and Google told eWEEK Dec. 31 it would examine the input
validation process for the Google Calendar field to help address the
situation.

"We do not believe this report contains evidence of substantial
security issues," a spokesperson for Google told eWEEK. "Trying to
trick someone into copying unfamiliar, suspicious code into a Google Calendar
text field is neither a likely attack vector nor one that we are seeing being
exploited. ... Nonetheless, we will check the input validation mechanisms in
Google Calendar text fields to help prevent any abuse of this capability
before an event is sanitized."
According to Goldshlager, a penetration testing expert with Avnet
Information Security Consulting in Israel, the cross-site scripting
vulnerability can be exploited if a victim adds malicious code to his quick add
post calendar.
"When the victim ... [adds] this malicious code, his cookies [and]
session ID will be stolen and will be sent to the attacker site," he said.
"Then the attacker will be able to get full control of the victim's Google
accounts like: Google Calendar account, Google Groups, iGoogle, etc."

Goldshlager also demonstrated that the HTML injection
vulnerability could be used to log a user out of his Google account, something
the Google spokesman said "is of negligible security impact" and "can be
avoided by not clicking on the link."
"They should fix this immediately because an attacker can redirect a
victim to any site that he wants, and [with] the XSS issue an attacker can
steal the victim's cookies and get full control of his accounts," the
researcher said.